Bug 1850540
| Summary: | [RHEL8/Bug] SELinux violation iptables to plymouth | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Oliver Falk <ofalk> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 8.2 | CC: | lvrabec, mmalik, peter.vreman, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-01-12 15:46:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1122832 | | |
Description
Oliver Falk
2020-06-24 13:18:55 UTC
Oliver,

We need more information to be able to assess this issue. Please gather audited AVC denials:

    # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot

The reproducing steps would also be helpful when available, or a list of related changes made to the default state of the system.

Hey Zdenek! I tried to find a reproducer but failed until now. I'll ask the CU to provide me with the data from your mentioned ausearch! I'm going to get back to you once I have the information!

Thanks,
Oliver

Thanks Peter for directly providing the additional information here on this BZ - I've put them now "private", since this BZ is open. @Zdenek, can you work with this additional information?

Oliver

Hi all,

Thanks for sharing the details. It needs to be figured out why plymouth runs in the iptables_t domain.

    # sesearch -A -s iptables_t -t plymouthd_t -c unix_stream_socket -p connectto
    <>
    # sesearch -A -s plymouth_t -t plymouthd_t -c unix_stream_socket -p connectto
    allow plymouth_t plymouthd_t:unix_stream_socket connectto;

I was unable to reproduce it with just installing and enabling iptables-service, so I wonder what else is required to trigger these denials.

Closing per feedback; the issue is no longer valid.
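The two sesearch queries in the thread compare what the policy allows for iptables_t and for plymouth_t against the plymouthd_t socket. The following is an added example, not part of the bug report or of selinux-policy, that parses sesearch-style `allow` rules (a constructed sample is embedded; the rule lines are assumed to follow the `allow SRC TGT:CLASS perm;` / `{ perms }` form that sesearch prints) and answers the same question programmatically: is a given (source, target, class, permission) tuple allowed, and which source domains do hold that permission. This is the check a policy maintainer would script when triaging a denial that looks like a domain-transition problem rather than a missing rule.

```python
"""Check sesearch-style SELinux allow rules for a specific access vector.

Added illustration only: the SAMPLE rules below are constructed to mirror the
queries in the bug (iptables_t vs. plymouth_t connecting to plymouthd_t); they
are not real policy output.
"""
import re
from typing import FrozenSet, List, NamedTuple

# One sesearch allow rule, e.g.
#   allow plymouth_t plymouthd_t:unix_stream_socket connectto;
#   allow plymouth_t plymouthd_t:fifo_file { read write };
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+?))\s*;$"
)


class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: FrozenSet[str]


def parse_rules(text: str) -> List[AllowRule]:
    """Parse allow rules from sesearch output; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # e.g. the "Found N semantic av rules" banner
        if m.group("perms") is not None:
            perms = frozenset(m.group("perms").split())
        else:
            perms = frozenset([m.group("perm")])
        rules.append(AllowRule(m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def is_allowed(rules: List[AllowRule], source: str, target: str,
               tclass: str, perm: str) -> bool:
    """True if any parsed rule grants `perm` on `target:tclass` to `source`."""
    return any(
        r.source == source and r.target == target
        and r.tclass == tclass and perm in r.perms
        for r in rules
    )


def sources_allowed(rules: List[AllowRule], target: str,
                    tclass: str, perm: str) -> List[str]:
    """Which source domains may perform `perm` on `target:tclass`.

    Useful when a denial names an unexpected source domain: if only the
    intended domain is listed, the question becomes why the process ran in
    the wrong domain (a transition issue) rather than which rule is missing.
    """
    return sorted({r.source for r in rules
                   if r.target == target and r.tclass == tclass and perm in r.perms})


# Constructed sample in sesearch -A output style (not real policy).
SAMPLE = """\
Found 3 semantic av rules:
allow plymouth_t plymouthd_t:unix_stream_socket connectto;
allow plymouth_t plymouthd_t:fifo_file { read write };
allow iptables_t self:unix_stream_socket { create connect };
"""


def triage(text: str, source: str, target: str, tclass: str, perm: str) -> str:
    """Summarise whether the denied access is granted, and to whom it is."""
    rules = parse_rules(text)
    holders = sources_allowed(rules, target, tclass, perm)
    if is_allowed(rules, source, target, tclass, perm):
        return f"{source} is allowed {perm} on {target}:{tclass}"
    return (f"{source} is NOT allowed {perm} on {target}:{tclass}; "
            f"domains that are: {', '.join(holders) or 'none'}")


if __name__ == "__main__":
    print(triage(SAMPLE, "iptables_t", "plymouthd_t", "unix_stream_socket", "connectto"))
    print(triage(SAMPLE, "plymouth_t", "plymouthd_t", "unix_stream_socket", "connectto"))
```

Run as a script it reports that iptables_t lacks connectto on plymouthd_t while plymouth_t holds it, which is the same picture the two sesearch invocations in the thread paint; on a real system the text would come from `sesearch -A ...` output rather than the embedded sample.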